HIPAA Q&A

[Editor’s note: This periodic column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: How should a home health agency proceed if a patient agrees with only portions of the privacy notice?

Answer: "A patient does not agree or disagree with the notice of privacy practices," points out John C. Gilliland II, an Indianapolis-based health care attorney. "It is a notice of the provider’s privacy practices, not something to which a patient must agree," he explains. The provider must give a copy of its notice of privacy practices to the patient and attempt to obtain the patient’s written acknowledgment that he or she received it, he says.

If the written acknowledgment cannot be obtained, the provider must document the efforts it made to obtain the patient’s acknowledgment and why the acknowledgment was not obtained, he adds. The form that the patient is asked to sign is an acknowledgment of receipt of the privacy notice, not of agreement or understanding, says Gilliland.

Question: When a patient asks a home health agency to restrict the disclosure of information beyond that provided in the agency’s privacy notice, does the agency have to comply?

Answer: "No, the provider does not have to comply," Gilliland says. "An individual has the right to request restriction on the use and disclosure of his or her protected health information." However, the provider does not have to comply if the patient’s request goes beyond the provider’s normal disclosure restriction, he adds.

Question: Can a home health agency post thank-you letters from patients on a bulletin board that can be seen by staff and other patients?

Answer: "In my opinion, they cannot post the letters unless the letters are de-identified so they no longer constitute protected health information," Gilliland says. "De-identification" is a process under the privacy rule by which health information is made to no longer be individually identifiable. "Typically, it requires removing all of 18 identifiers stated in the privacy rule including names, geographic subdivisions smaller than a state, most zip codes, telephone numbers, and medical record numbers," he says.

For more information on the nuances of HIPAA privacy regulations, contact:

• John C. Gilliland II, Gilliland & Caudill, LLP, 6650 Telecom Drive, Suite 100, Indianapolis, IN 46278. Telephone and fax: (317) 616-3647. E-mail: jcg@gilliland.com. Gilliland is the author of HIPAA Privacy Compliance Resource Manual. For more information about the manual, go to www.gilliland.com.